Parameter Binding

Hi Experts,

Why would you use parameters binding instead of incorporating the $variable, as I find incorporating a variable much more quicker? I have read that a variable can be injected, but if you write a function to check for key symbols and keywords (like semicolons, DROP, ALTER,...) and encapsulate them in a special way, like "\;", then wouldn't that be sufficient?

Does any one have such a function, or a list of keywords and key symbols?

It is still a good idea to write your routine to check for other kinds of problems. A MySQL query in PHP normally only allows a single query to be made so that helps to some degree.

All these features are kind of like using anti-virus on your computer. Yes, it does slow things down but not doing them makes you more vulnerable to attacks. On some of the web sites I maintain, I keep track of all of the form submissions. People try to break in almost everyday.

No but I wonder about that since SQL injection is supposed to be about that. I should do a test to see if I can make it happen. I am pretty certain that people spamming my forms aren't getting in because I can see the things they put in the forms.

The main advantage of parameter binding is that you're sending information to the DB engine, but you're not modifying a query string. The query string is like a little computer program -- it tells the DB engine what to do. When you start making changes to a PHP variable, especially if you're using external data, it's possible to get the query string wrong.

FWIW, this has never been a problem when I have 100% control over the ways that data get put into the queries, but if you're developing a large application that may have many programmers and many clients, your control may not be that great, and parameterized queries may give you (or your management) a greater sense of security.

0

APD TorontoAuthor Commented: 2015-01-15

Great article Ray,

To answer your question, I will be the only programmer who develop and maintain this software and I always check data input. So, would you use parameterized queries?

0

APD TorontoAuthor Commented: 2015-01-15

I am also leaning towards not using parameters because I want to use MySqli, which does not accept named parameters, where my queries can have up to 20 +parameters.

Can any one provide me with a list of key words and key statements that I need to check for in order to prevent injections?

For a simple older application I have the following in ASP, but I would change the replace to string just to escape the original string, would this be sufficient.

I'll leave your latest question for others to answer, but could you please answer these for me, APD:

Q1. When you say MySQLi doesn't accept named parameters, are you concerned that this makes the code hard to write/read and it's too easy for the programmer to mix up the parameters, or what?

Q2. What if someone legitimately enters a string/word/name which contains any of those words in your banned list? For example, "Mr Droppler" may be a valid name. Would you be happy for your code to change that kind of thing to "Mr pler"?

tel2

0

APD TorontoAuthor Commented: 2015-01-15

Tel2,

A1. As I mentioned some of my queries will have 20 parameters, so having 20 ? marks to fill in and troubleshoot will be very tough.

A2. This is why I asked in my question that I would escape these. Now that I think about it, I think I would only need to escape symbols like semicolon, /*, */, and --. Would that not be sufficient?

The right way to think about the question is with the security mantra: Accept Only Known Good Values. When you plan that way, you build filters for every possible input. Example: If you expect an American phone number, use a filter like this. Same thing goes for all other inputs. Looking for an integer? Don't accept anything that does not pass the appropriate filter. PHP has a lot of built-in filters. See: http://php.net/manual/en/book.filter.php For other, more application-specific, you can write your own filters like this.